I have an ArcGIS 10.1 Server instance exposing secured mapservices on the Internet.
My need is to code down a client application (which I am currently building using the 3.3 version of the ArcGIS Javascript API) enabling the user to view those secured webservices:

I do not want the user to be prompted for authentication on EACH mapservice, because I already know that ALL of the mapservices belong to her/him and are therefore accessible by her/him under the same username and password.
My idea is that the prompt for credentials should appear just ONCE, and the JS code should then feed the credentials to each mapservice via some sort of RESTful login call.
To me it doesn't seem like the ArcGIS Server REST API provides such a call... maybe I am wrong.

Is this "RESTful" way to log in to secured mapservices therefore feasible with ArcGIS Server (making it possible to access secured services programmatically)?
If so, can any of you provide examples or links to web resources explaining this?

Are you using the ArcGIS security store and not Windows auth?
– Brad Nesom, Jan 29 '13 at 17:41

@Brad Nesom for the moment my ArcGIS Server instance is using a built-in security store (with users and roles), but I'm planning to link the instance to an external LDAP server for authentication purposes
– csparpa, Jan 30 '13 at 9:01

3 Answers

Basically, you will need to make users and groups, and give a particular User rights over certain services.

Once you have done that, then you need to use Token based security in your JavaScript Application. What this means is that, you ask the User for their UserName & password. That is sent to the ArcGIS Server, which validates the Credentials, and sends back a token. This token is used to validate the user whenever a resource is requested.

You as a programmer will send this token to every mapservice, query service etc.

I finally found what I was looking for: a proper ArcGIS Server web endpoint that I could use to generate tokens!

The call is this:

GET http://<arcgisserver_host:port>/arcgis/tokens?request=getToken&username=<usr>&password=<usr>&expiration=<token_lifespan>

which gives back the token in the HTTP response body, and one can send it along with any further request to secured resources without being prompted for credentials again. The token must be the value for the Cookie request header, as it is currently stored in a cookie on the client side.

But...damn! This token generator is NOT part of the ArcGIS Server REST API!!! I couldn't find it in the online API documentation! Where in the world could I find it???

This means that ArcGIS Server does not have a RESTful authentication framework.

For example, if we have this mapservice exposed under the ArcGIS REST API: /arcgis/rest/services/myDir/myMapService/MapServer/layers and we try to GET this resource, what we get from ArcGIS Server is a response having a 200: OK status code and an HTML document in the body (the HTML is a login form). From a would-be-RESTful login, I would expect the request to give me back a 401: Authentication Required status code along with a WWW-Authenticate header...
I tested this whole thing out myself using a REST client program.

Sadly most "RESTful" implementations are not RESTful :) Some years ago I gave up on being super-strict about this because the truth is that most implementations are "REST-like". For your particular use case, I usually take a different approach. I use the built-in authentication system of choice and proxy open ArcGIS requests. So if I was handling authentication with Django authentication, or Ruby's, or .NET's or whatever, I use that system. Then, when that system says it is OK, you can proxy the requests to an internal ArcGIS server/port that is locked from the outside world.
– Ragi Yaser Burhum, Jan 31 '13 at 16:58

Hi @Ragi Yaser Burhum, you are right: we will never live in a fully RESTful world ;-) I also considered an approach like yours: I like the idea of having a proxy (which could also handle requests to webservices other than ArcGIS Server's) but I need to keep the complexity of the whole architecture as low as possible. So, after discovering that there IS a straight way to programmatically authenticate users to mapservices, I'll walk it! Thanks anyway!
– csparpa, Jan 31 '13 at 17:22
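
The single-login flow discussed in this thread, as an added example that is not part of any of the posts or of Esri's code: credentials are sent once in an HTTPS POST body rather than in a GET query string, and the resulting token is reused for every service URL. It assumes the token endpoint accepts a form-encoded POST with the parameters quoted above and that services accept the token as a `token` query parameter; `buildTokenRequest`, `TokenSession` and `login` are hypothetical names.

```javascript
function buildTokenRequest(serverBase, username, password, expirationMinutes) {
  const url = new URL('/arcgis/tokens', serverBase);
  if (url.protocol !== 'https:') {
    throw new Error('refusing to send credentials over ' + url.protocol);
  }
  // Credentials go in the POST body (assumed to be accepted by the endpoint),
  // not the URL, so they stay out of access logs, history and Referer headers.
  const body = new URLSearchParams({ request: 'getToken', username, password,
    expiration: String(expirationMinutes) });
  return {
    url: url.toString(),
    init: { method: 'POST', body: body.toString(),
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' } },
  };
}

class TokenSession {
  constructor(expirationMinutes, skewMs = 30000) {
    this.lifetimeMs = expirationMinutes * 60000;
    this.skewMs = skewMs;
    this.token = null; this.expiresAt = 0;
  }
  store(responseBody, now = Date.now()) {
    const token = responseBody.trim();
    // A 200 response is not proof of success: reject anything that is not
    // one opaque string, such as an HTML login form.
    if (!/^[^\s<>]+$/.test(token)) throw new Error('response is not a token');
    this.token = token;
    this.expiresAt = now + this.lifetimeMs;
  }
  // True when the user must be prompted: no token yet, or about to expire.
  needsLogin(now = Date.now()) {
    return !this.token || now >= this.expiresAt - this.skewMs;
  }
  // Assumption: services accept the token as a `token` query parameter.
  sign(serviceUrl, now = Date.now()) {
    if (this.needsLogin(now)) throw new Error('token missing or expired');
    const url = new URL(serviceUrl);
    url.searchParams.set('token', this.token);
    return url.toString();
  }
}

// Prompt once, call login(), then sign() each of the N map service URLs.
async function login(session, serverBase, username, password, minutes) {
  const { url, init } = buildTokenRequest(serverBase, username, password, minutes);
  const res = await fetch(url, init);
  session.store(await res.text());
}
```

Keep the requested expiration short: the token is a bearer value, and anyone who obtains a signed URL can use it until it expires.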

The sample linked by Devdatta, while valid, is the pre-Identity Manager way of doing this and involves a lot more code than is necessary now that authentication for secure services is baked into the API.

I had just taken the sample link for ESRI's documentation. Can the documentation be updated to point to the new samples?
– Devdatta Tengshe, Jan 30 '13 at 3:22

Folks, thanks for your hints but I think you didn't get my point. The scenario is: my user is going to access N secured mapservices, which means he's going to be bothered N times with a login prompt. Because ALL of the user's mapservices can be accessed using the same credentials, I would like my app to ask JUST ONCE for them and then use them to automatically authenticate to each mapservice. At this stage, I guess that I should use a proxy page to handle multiple mapservice auth with ArcGIS Server. Sounds good? Any more straightforward alternative? Thanks in advance, hope I made my needs clear.
– csparpa, Jan 31 '13 at 14:38